That's the brilliant "editing" work of timothy. The original articles used "organized and systematic" attack but timothy must have thought that was too clear and not redundant enough for the Slashdot title.

Yes, I was partly being compulsively silly. The quotes convey the extra info that AT&T describes it as a targeted attack. A title without repetition of words might have been '"Targeted attack" for AT&T user info' or something...

"It is not not believed that the perpetrators of this attack obtained access to sensitive information"
if they had ATT certainly would not tell anybody... and if they were REALLY good ATT wouldn't know.

"It is not not believed that the perpetrators of this attack obtained access to sensitive information"
if they had ATT certainly would not tell anybody... and if they were REALLY good ATT wouldn't know.

Close, but I see that you are not fluent in corporate double-speak. Allow me to translate, my friend.
"We are not ready to grudgingly admit that the perpetrators of this attack obtained access to sensitive information. On advice from counsel, not to mention our friends at Sony, we are going to go with that story, for now."

When I signed up for a UVerse account, they provided the login details. They had my username (previously tied to DSL), no biggie. But then the technician at the house was able to pull up my password. MY password. It's stored in a reversible manner (if encrypted at all) - why the fuck? This does not surprise me that AT&T was targeted, and I'm sure they have millions of customers that believe their password is safe.
Since then, I don't trust AT&T or that account for anything important.

Believe it or not, AT&T is actually pretty serious when it comes to sensitive personal information. (I have to re-take the training at least yearly about it.)

Full drive encryption on all desktop and laptop systems is pretty much the standard. Software firewalls and anti-virus updated constantly. Forced password changes on a scheduled basis with complexity rules in full effect. Access to servers which hold SPI is limited and those accounts are either passphrase level logins or RSA SecurID tokens.

Believe it or not, AT&T is actually pretty serious when it comes to sensitive personal information. (I have to re-take the training at least yearly about it.)

AT&T is a multi-headed beast of a company with dozens of divisions. It's highly likely that in your area, AT&T may be highly security conscious while in the UVerse area, they couldn't secure two pieces of paper using a stapler... having reversible encryption is an incredibly bad security exposure (GP post's anecdote).

Forced password changes on a scheduled basis with complexity rules in full effect.

This has actually proven to be bad, as folks will likely resort to writing down their passwords... or if they infrequently use the system, they just keep using the "forgot, email me"

I used to work for ATT. People working in the same building don't even know the job responsibilities of people across the hall... much less across the country. ATT would do things like: Give one of their departments a free data line. This line was still billed, but they'd put it on an account that was paid by ATT itself. There were thousands of lines on these accounts and they'd bill in the millions, but it didn't matter because ATT would pay it themselves right? Well, the problems arose when ATT would lay-

It appears that they are just enumerating which phone numbers are set up with online account access. This can be done via the account setup page. The login page itself will not tell you if an account exists or doesn't exist, but the setup page will. Likely, this is a first step to later brute force passwords. Given that the username is the phone number, they can then just try and find one that has an account set up with AT&T's web site. The daily internet storm center podcast had some details about this. http://isc.sans.edu/podcastdetail.html
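A defender-side sketch of spotting the enumeration pattern described in the comment above, added here as an example and not part of the original thread: it counts how many distinct phone numbers each source submits to an account-setup endpoint per hour. The log format, the `/account/setup` path, the `phone` parameter and the threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

SETUP_PATH = "/account/setup"   # assumed path of the account-setup page
# Assumed log format: timestamp, source IP, method, path?phone=NNNNNNNNNN, status
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) \S+ (?P<path>[^?\s]+)\?phone=(?P<phone>\d{10}) \d{3}$")

def find_enumerators(lines, min_distinct=5):
    """Return {(ip, hour): stats} for sources probing many distinct numbers."""
    seen = defaultdict(set)                  # (ip, hour bucket) -> phone numbers
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["path"] != SETUP_PATH:
            continue                         # malformed line or other endpoint
        seen[(m["ip"], m["ts"][:13])].add(int(m["phone"]))
    flagged = {}
    for key, phones in seen.items():
        if len(phones) < min_distinct:
            continue
        ordered = sorted(phones)
        # Count numbers that directly follow the previous one: walking a number
        # block looks very different from a household registering a few lines.
        sequential = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        flagged[key] = {"distinct": len(phones), "sequential": sequential}
    return flagged

# Constructed sample data: one source walking a number range, one ordinary user
# retrying the same number, and login traffic that must be ignored.
SAMPLE_LOG = (
    [f"2000-01-01T10:00:{i:02d}Z 198.51.100.7 POST /account/setup?phone=555010{i:04d} 200"
     for i in range(8)]
    + ["2000-01-01T10:01:00Z 203.0.113.9 POST /account/setup?phone=5550109999 200"] * 3
    + [f"2000-01-01T10:02:{i:02d}Z 203.0.113.20 POST /account/login?phone=555020{i:04d} 401"
       for i in range(8)]
)

if __name__ == "__main__":
    for (ip, hour), stats in find_enumerators(SAMPLE_LOG).items():
        print(ip, hour, stats)
```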

The article has a quote similar to that one, but with different wording that leaves them actually very little wiggle room.

“We recently detected an organized and systematic attempt to obtain information on a number of AT&T customer accounts, including yours,” AT&T said in an e-mail to customers. “We do not believe that the perpetrators of this attack obtained access to your online account or any of the information contained in that account.”

Considering the type of attack they describe, this sounds more like a scouting mission rather than a full-on attack.